CVE-2018-1118 — LOW (2.3) — White Hats Nepal

Q: How severe is CVE-2018-1118?

CVE-2018-1118 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1118?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Virtualization Host, Redhat Enterprise Linux Desktop.

Vulnerability Description

Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.

CVSS Score

2.3

LOW

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	>= 4.8, < 4.18
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	16.04
Redhat	Virtualization Host	4.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-665 CWE-200

References

https://access.redhat.com/errata/RHSA-2018:2948Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3083Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3096Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1118Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00020.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3762-1/Third Party Advisory
https://usn.ubuntu.com/3762-2/Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2948Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3083Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3096Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1118Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/07/msg00020.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3762-1/Third Party Advisory
https://usn.ubuntu.com/3762-2/Third Party Advisory

FAQ

What is CVE-2018-1118?

CVE-2018-1118 is a vulnerability with a CVSS score of 2.3 (LOW). Linux kernel vhost since version 4.8 does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can...

How severe is CVE-2018-1118?

CVE-2018-1118 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1118?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Virtualization Host, Redhat Enterprise Linux Desktop.